Shellshock Vulnerability Used in Botnet Attacks

One of the implications of the Bash Bug vulnerability, also referred to as Shellshock, is that cybercriminals and attackers can use it to launch DDoS attacks against enterprises and large organizations. Indeed, there are already reports of botnet attacks against certain institutions that employed this vulnerability. A botnet is a network of infected computers or systems.

Based on our investigation, the backdoor (which Trend Micro detects as ELF_BASHWOOP.A) launches the following commands:

kill

udp

syn

tcpamp

dildos

http

mineloris

In addition, it connects to the C&C server 89[DOT]238[DOT]150[DOT]154 to receive commands. Note that this is the same C&C server used by ELF_BASHLITE.A, the malware we initially saw as the payload of the Bash exploit. The related hash for the said threat is 96498e53200cfb3947cbd5357f6833a1d0605360.

Earlier, we spotted several malware payloads delivered by exploit code for the Bash vulnerability, which Trend Micro detects as:

Users are protected from this threat via Trend Micro's Smart Protection Network, which detects the malware and blocks all related malicious URLs. For the Bash bug vulnerability, Trend Micro protects users via the following solutions:

Deep Discovery rule: 1618 – Shellshock HTTP REQUEST

DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
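As an added illustration of the two detection angles this post touches on (a network rule that flags Shellshock-style HTTP requests, and the C&C address and file hash named above as indicators), the following Python script is example code written for this page and is not Trend Micro's rule logic or the malware's code. It scans constructed Apache-style access log lines for the Bash function-definition prefix in a quoted header field, checks constructed outbound-connection records against the C&C address from the post (written defanged above), and matches a constructed file inventory against the hash quoted above. All log lines, hostnames and file names are made up for the example.

```python
"""Added example (not Trend Micro's or the malware author's code): indicator and
request-pattern checks for the Shellshock botnet activity described in the post."""
import re
from typing import Dict, List

# Indicators taken from the post (C&C address is written defanged there).
KNOWN_C2_IPS = {"89.238.150.154"}
KNOWN_HASHES = {"96498e53200cfb3947cbd5357f6833a1d0605360"}  # 40 hex chars: SHA-1 length

# Shellshock exploitation over HTTP places a Bash function definition in a header
# that a CGI handler exports into the environment. The tell-tale prefix is "() {",
# so the check tolerates whitespace variations around the parentheses and brace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed access-log lines (Apache combined format). The second line carries
# the function-definition prefix in User-Agent followed by a harmless command.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '10.0.0.7 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.37.0"',
]

# Constructed outbound-connection records as a firewall or NetFlow export might give them.
SAMPLE_CONN_LOG: List[Dict[str, object]] = [
    {"src": "192.168.1.20", "dst": "93.184.216.34", "dport": 443},
    {"src": "192.168.1.20", "dst": "89.238.150.154", "dport": 6667},
]

# Constructed file inventory (path -> SHA-1 as a hex string); the hash value is the one from the post.
SAMPLE_FILE_INVENTORY = {
    "/tmp/.x/update": "96498e53200cfb3947cbd5357f6833a1d0605360",
    "/usr/bin/ls": "0000000000000000000000000000000000000000",
}


def find_shellshock_requests(lines: List[str]) -> List[str]:
    """Return access-log lines whose quoted fields (request, referer, user-agent)
    contain the Bash function-definition prefix."""
    hits = []
    for line in lines:
        quoted_fields = re.findall(r'"([^"]*)"', line)
        if any(SHELLSHOCK_RE.search(field) for field in quoted_fields):
            hits.append(line)
    return hits


def find_c2_connections(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return connection records whose destination is a known C&C address."""
    return [r for r in records if r["dst"] in KNOWN_C2_IPS]


def find_known_hashes(inventory: Dict[str, str]) -> List[str]:
    """Return file paths whose recorded hash matches a known indicator (case-insensitive)."""
    return [path for path, digest in inventory.items() if digest.lower() in KNOWN_HASHES]


if __name__ == "__main__":
    for line in find_shellshock_requests(SAMPLE_ACCESS_LOG):
        print("shellshock-style request:", line)
    for rec in find_c2_connections(SAMPLE_CONN_LOG):
        print("C&C connection:", rec)
    for path in find_known_hashes(SAMPLE_FILE_INVENTORY):
        print("known malicious hash:", path)
```

One caveat for anyone reusing this approach: a standard combined-format access log only records the request line, referer and user-agent, so a function definition sent in another header (Cookie or Host, for instance) would never appear in it. Catching those requires an inline sensor that sees full request headers, which is why the post points to network-level rules rather than log review alone.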

For more information on the Bash bug vulnerability, you can refer to the following blog entries:
